A secure and high-performance multi-controller architecture for software-defined networking

Controllers play a critical role in software-defined networking (SDN). However, existing single-controller SDN architectures are vulnerable to single-point failures, where a controller’s capacity can be saturated by flooded flow requests. In addition, due to the complicated interactions between applications and controllers, the flow setup latency is relatively large. To address the above security and performance issues of current SDN controllers, we propose distributed rule store (DRS), a new multi-controller architecture for SDNs. In DRS, the controller caches the flow rules calculated by applications, and distributes these rules to multiple controller instances. Each controller instance holds only a subset of all rules, and periodically checks the consistency of flow rules with each other. Requests from switches are distributed among multiple controllers, in order to mitigate controller capacity saturation attack. At the same time, when rules at one controller are maliciously modified, they can be detected and recovered in time. We implement DRS based on Floodlight and evaluate it with extensive emulation. The results show that DRS can effectively maintain a consistently distributed rule store, and at the same time can achieve a shorter flow setup time and a higher processing throughput, compared with ONOS and Floodlight.

[1]  Martín Casado,et al.  Onix: A Distributed Control Platform for Large-scale Production Networks , 2010, OSDI.

[2]  David Walker,et al.  Incremental consistent updates , 2013, HotSDN '13.

[3]  Nick McKeown,et al.  A network in a laptop: rapid prototyping for software-defined networks , 2010, Hotnets-IX.

[4]  David R. Karger,et al.  Consistent hashing and random trees: distributed caching protocols for relieving hot spots on the World Wide Web , 1997, STOC '97.

[5]  Martín Casado,et al.  Extending Networking into the Virtualization Layer , 2009, HotNets.

[6]  Yashar Ganjali,et al.  Kandoo: a framework for efficient and scalable offloading of control applications , 2012, HotSDN '12.

[7]  Ratul Mahajan,et al.  On consistent updates in software defined networks , 2013, HotNets.

[8]  Marco Canini,et al.  OF.CPP: consistent packet processing for openflow , 2013, HotSDN '13.

[9]  Yashar Ganjali,et al.  HyperFlow: A Distributed Control Plane for OpenFlow , 2010, INM/WREN.

[10]  Vinod Yegneswaran,et al.  AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[11]  Martín Casado,et al.  NOX: towards an operating system for networks , 2008, CCRV.

[12]  Aaron Gember,et al.  Pratyaastha: an efficient elastic distributed SDN control plane , 2014, HotSDN.

[13]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[14]  Parag Agrawal,et al.  The case for RAMClouds: scalable high-performance storage entirely in DRAM , 2010, OPSR.

[15]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[16]  David R. Karger,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM '01.

[17]  Prashant Malik,et al.  Cassandra: a decentralized structured storage system , 2010, OPSR.

[18]  Rick McGeer,et al.  A safe, efficient update protocol for openflow networks , 2012, HotSDN '12.

[19]  Subharthi Paul,et al.  Software Defined Application Delivery Networking , 2014 .

[20]  Fang Hao,et al.  Towards an elastic distributed SDN controller , 2013, HotSDN '13.

[21]  Pavlin Radoslavov,et al.  ONOS: towards an open, distributed SDN OS , 2014, HotSDN.

[22]  David Walker,et al.  Abstractions for network update , 2012, SIGCOMM '12.